WifiWave2 Guest network with external router for DHCP

Hi there … I seem to need some help …
Some weeks ago I bought two hAP ax² and one RB2011iL (I started out with one hAP ax² and liked it so much that I instantly bought more to replace or add to my existing network hardware)
At this point my network looks a bit like this: (basically, a router behind my modem, a switch and two access-points to handle between 15 and 34 devices)

What I’m trying to do is create some guest networks on top of my existing Wifi-network for some real life applications and just for fun.
I’ve been watching just about every tutorial on Mikrotik Guest networks I could find and I’ve tried them all … but it would seem there is a bit of a difference between the regular Wifi-interfaces and the Wifiwave2 wireless networks (that is the only thing available on hAP ax2 it seems)…
I"ve created a working set of DHCP-servers (VLANs) on the router (RB2011iL) but I can’t for the life of me get the new vlans (and SSID’s) I’ve created on the access-points to get an IP-address from the router and get to the internet via said router …
I can create the Wifi-configurations that seem to work (locally on one AP) but when it comes to connecting to the router, I seem to be missing something (probably some insight).
After every failed attempt I restore a working backup of the working base-setup in order not to “pollute” the setup with a lot of left-overs from failed attempts …
So now my system has a router with 4 DHCP-servers (tested and working by connecting to a port and setting that port as part of the VLAN I wanted to test). All other Mikrotik devices are only using the regular setup as an access-point for one network …
Could someone please help me, point me to the right resources or explain to me what I might be doing wrong… open my eyes with a simple explanation about how these things work (I understand in broad strokes but seem to be missing the Aha-factor, the missing link that makes it all clear to me).

at this moment I have a setup that works for one SSID (default setup) but there are 3 VLANs on the hAP ax²’s that can’t make contact with their counterparts in the router …
These are the configs.
KING (router):

# 2023-06-26 20:17:17 by RouterOS 7.10
# software id = D87A-VNCJ
#
# model = RB2011iL
# serial number = HDK08NS38PP
# NOTE(review): the software id and serial number above identify this unit and
# are not needed to diagnose the VLAN problem; redact them before posting an
# export publicly.
# NOTE(review): everything under /caps-man below is the legacy CAPsMAN. The
# hAP ax2 units run wifiwave2 and, as far as I know, a wifiwave2 CAP only talks
# to a wifiwave2 CAPsMAN, which this RB2011 cannot run (no wifiwave2 package for
# its platform). The /caps-man entries therefore never reach the access points;
# the guest SSIDs have to be configured on the APs themselves.
/caps-man channel
add control-channel-width=20mhz frequency=2412 name=VO-2.4-CH01 \
    skip-dfs-channels=no
add control-channel-width=20mhz frequency=2462 name=VO-2.4-CH11 \
    skip-dfs-channels=no
add control-channel-width=40mhz-turbo frequency=5200 name=VO-5-CH040 \
    skip-dfs-channels=no
add control-channel-width=40mhz-turbo frequency=5805 name=VO-5-CH161 \
    skip-dfs-channels=no
add control-channel-width=20mhz frequency=2437 name=VO-2.4-CH06
/interface bridge
# NOTE(review): four bridges, none with vlan-filtering=yes (the export shows the
# default). With vlan-filtering off, the /interface bridge vlan table further
# down is not enforced at all. The VLAN interfaces below are created on top of
# BLUE/GREEN/RED-BRIDGE and then added as ports of bridge-local, which ties each
# guest bridge back into the main LAN. The conventional layout is ONE bridge
# with vlan-filtering=yes, the three VLAN interfaces on that bridge, and the
# AP-facing ports (ether3, ether4) as tagged members of VLANs 10/20/30.
add name=BLUE-BRIDGE
add name=GREEN-BRIDGE
add name=RED-BRIDGE
add admin-mac=48:A9:8A:27:CD:AD auto-mac=no comment=defconf name=bridge-local
/interface ethernet
set [ find default-name=ether1 ] comment=modem
set [ find default-name=ether2 ] comment=switch
set [ find default-name=ether3 ] comment=Dumpty
set [ find default-name=ether4 ] comment=Humpty
set [ find default-name=ether5 ] comment="Computer Yves (rechtstreeks)"
set [ find default-name=ether6 ] comment=Alarm
/interface vlan
# VLAN sub-interfaces of the guest bridges (see the bridge note above).
add interface=BLUE-BRIDGE name=BLUE-VLAN vlan-id=10
add interface=GREEN-BRIDGE name=GREEN-VLAN vlan-id=20
add interface=RED-BRIDGE name=RED-VLAN vlan-id=30
/caps-man datapath
add bridge=bridge-local name=VO-Datapath
/caps-man security
add authentication-types=wpa2-psk disable-pmkid=yes encryption=aes-ccm \
    group-key-update=1h name=VO-WIFI-Security
add authentication-types=wpa2-psk encryption=aes-ccm name="VO-Guest network"
/caps-man configuration
add channel=VO-2.4-CH01 country=belgium datapath=VO-Datapath mode=ap name=\
    "Van Opstal-Wifi configuration-2.4GHz-CH01" security=VO-WIFI-Security \
    ssid=Van-Opstal_WL
add channel=VO-2.4-CH11 country=belgium datapath=VO-Datapath mode=ap name=\
    "Van Opstal-Wifi configuration-2.4GHz-CH11" security=VO-WIFI-Security \
    ssid=Van-Opstal_WL
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=VLANs
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip kid-control
add fri=0s-1d mon=0s-1d name=system-dummy sat=0s-1d sun=0s-1d thu=0s-1d tue=\
    0s-1d tur-fri=0s-1d tur-mon=0s-1d tur-sat=0s-1d tur-sun=0s-1d tur-thu=\
    0s-1d tur-tue=0s-1d tur-wed=0s-1d wed=0s-1d
/ip pool
add name=dhcp ranges=192.168.1.100-192.168.1.254
add name=BLUE-POOL ranges=192.168.10.100-192.168.10.254
add name=GREEN-POOL ranges=192.168.20.100-192.168.20.254
add name=RED-POOL ranges=192.168.30.100-192.168.30.254
/ip dhcp-server
# One DHCP server per guest bridge. Each only sees frames that actually arrive
# on its bridge -- today that is ether6 for GREEN and ether9 for RED (the cable
# test in the post), while BLUE-BRIDGE has no physical port at all.
add address-pool=dhcp interface=bridge-local name=local-network-DHCP
add address-pool=BLUE-POOL interface=BLUE-BRIDGE name=BLUE-DHCP-SERVER
add address-pool=GREEN-POOL interface=GREEN-BRIDGE name=GREEN-DHCP-SERVER
add address-pool=RED-POOL interface=RED-BRIDGE name=RED-DHCP-SERVER
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/caps-man configuration
add channel=VO-2.4-CH01 country=belgium datapath=Gasten-Datapath mode=ap \
    name="Gasten-Wifi configuratie-2.4GHz-CH01" security="VO-Guest network" \
    ssid=VO-Gasten
add channel=VO-2.4-CH11 country=belgium datapath=Gasten-Datapath mode=ap \
    name="Gasten-Wifi configuratie-2.4GHz-CH11" security="VO-Guest network" \
    ssid=VO-Gasten
/caps-man datapath
# NOTE(review): "*F" is an unresolved internal id: the bridge this datapath
# referenced no longer exists (likely removed by one of the backup restores).
# The two Gasten configurations above therefore have no usable datapath.
add bridge=*F name=Gasten-Datapath
/caps-man manager
set enabled=yes
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=bridge-local
/caps-man provisioning
# Only the main SSID is provisioned; the Gasten configurations are not given as
# slave-configurations here.
add action=create-dynamic-enabled master-configuration=\
    "Van Opstal-Wifi configuration-2.4GHz-CH01"
/interface bridge port
# NOTE(review): ether3 (Dumpty) and ether4 (Humpty) are plain untagged members
# of bridge-local and appear nowhere in /interface bridge vlan, so tagged
# VLAN 10/20/30 frames coming from the access points have no path to the guest
# bridges. ether6 (pvid 20) and ether9 (pvid 30) are the access ports behind
# the cable test.
add bridge=bridge-local comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge-local comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge-local comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge-local comment=defconf ingress-filtering=no interface=ether5
add bridge=GREEN-BRIDGE comment=defconf ingress-filtering=no interface=ether6 \
    pvid=20
add bridge=bridge-local comment=defconf ingress-filtering=no interface=ether7
add bridge=bridge-local comment=defconf ingress-filtering=no interface=ether8
add bridge=RED-BRIDGE comment=defconf ingress-filtering=no interface=ether9 \
    pvid=30
add bridge=bridge-local comment=defconf ingress-filtering=no interface=\
    ether10
add bridge=bridge-local interface=BLUE-VLAN pvid=10
add bridge=bridge-local interface=GREEN-VLAN pvid=20
add bridge=bridge-local interface=RED-VLAN pvid=30
/ip neighbor discovery-settings
# NOTE(review): "all" includes ether1 (WAN), so MNDP/LLDP announcements are
# also sent towards the modem. The access points use LAN here; do the same.
set discover-interface-list=all
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan
# NOTE(review): not enforced while bridge-local has vlan-filtering=no. Even if
# filtering were enabled as-is, these entries lack the AP-facing ports (ether3,
# ether4) as tagged members and the bridge itself for the router's own access.
add bridge=bridge-local tagged=BLUE-VLAN vlan-ids=10
add bridge=bridge-local tagged=GREEN-VLAN vlan-ids=20
add bridge=bridge-local tagged=RED-VLAN vlan-ids=30
/interface detect-internet
set detect-interface-list=all
/interface list member
# NOTE(review): BLUE/GREEN/RED-BRIDGE carry the guest gateway addresses and DHCP
# servers but are in neither LAN nor VLANs, so the input rule "drop all not
# coming from LAN" below drops traffic from guest clients to the router itself
# (DNS queries, for instance). The forward chain, on the other hand, has no
# rule keeping the guest subnets away from 192.168.1.0/24, so they would not be
# isolated from the main LAN once they do work.
add comment=defconf interface=bridge-local list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=BLUE-VLAN list=VLANs
add interface=GREEN-VLAN list=VLANs
add interface=RED-VLAN list=VLANs
/interface ovpn-server server
# NOTE(review): md5 is still offered as an HMAC. No enabled=yes is exported, so
# the OVPN server appears to be off, but drop md5 before ever enabling it.
set auth=sha1,md5
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge-local network=\
    192.168.1.0
add address=192.168.10.1/24 interface=BLUE-BRIDGE network=192.168.10.0
add address=192.168.20.1/24 interface=GREEN-BRIDGE network=192.168.20.0
add address=192.168.30.1/24 interface=RED-BRIDGE network=192.168.30.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
# The guest networks set no dns-server, unlike the default network. If guests
# are meant to use the router as resolver, see the input-chain note above.
add address=192.168.1.0/24 comment=defconf dns-server=8.8.8.8,8.8.4.4 \
    gateway=192.168.1.1 netmask=24
add address=192.168.10.0/24 gateway=192.168.10.1 netmask=24
add address=192.168.20.0/24 gateway=192.168.20.1 netmask=24
add address=192.168.30.0/24 gateway=192.168.30.1 netmask=24
/ip dns
# allow-remote-requests makes the router a resolver for clients; the
# "drop all not coming from LAN" input rule is what keeps that closed on WAN.
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan
/ip firewall filter
# Default-configuration rule set. There is no final drop in the forward chain,
# so anything not arriving from WAN is forwarded between all local interfaces.
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
# NOTE(review): three routes send 192.168.1.1/32 (the router's own bridge-local
# address) out of the guest bridges, and 192.168.10.3/32 is already covered by
# the connected 192.168.10.0/24. They look like leftovers and are best removed.
add disabled=no dst-address=192.168.1.1/32 gateway=BLUE-BRIDGE routing-table=\
    main suppress-hw-offload=no
add disabled=no distance=1 dst-address=192.168.1.1/32 gateway=GREEN-BRIDGE \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=no distance=1 dst-address=192.168.1.1/32 gateway=RED-BRIDGE \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=no dst-address=192.168.10.3/32 gateway=BLUE-BRIDGE \
    routing-table=main suppress-hw-offload=no
/routing bfd configuration
add disabled=no
/system clock
set time-zone-name=Europe/Brussels
/system identity
set name="King Richard III"
/system note
set show-at-login=no
/system routerboard settings
set auto-upgrade=yes force-backup-booter=yes silent-boot=yes
/tool graphing interface
add
/tool graphing resource
add
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool romon
set enabled=yes

Humpty (hAP ax²):

# 2023-06-26 20:33:18 by RouterOS 7.10
# software id = IJT3-YVDT
#
# model = C52iG-5HaxD2HaxD
# serial number = HE608PB8KQ0
# NOTE(review): software id and serial number identify this unit and are not
# needed for the question; redact them before posting an export publicly.
/interface bridge
# NOTE(review): same four-bridge layout as on the router, with no
# vlan-filtering=yes anywhere, so the /interface bridge vlan entries below are
# not enforced. For an AP whose L3 lives on the router, a single bridge with
# vlan-filtering=yes and the uplink port tagged for 10/20/30 is all that is
# needed; the guest bridges and VLAN interfaces here add nothing.
add name=BLUE-BRIDGE
add name=GREEN-BRIDGE
add name=RED-BRIDGE
add admin-mac=48:A9:8A:6F:1D:11 auto-mac=no name=bridge-local
/interface vlan
add interface=BLUE-BRIDGE name=BLUE-VLAN vlan-id=10
add interface=GREEN-BRIDGE name=GREEN-VLAN vlan-id=20
add interface=RED-BRIDGE name=RED-VLAN vlan-id=30
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wifiwave2 channel
add band=2ghz-n comment="Channel 1" disabled=no frequency=2412 name=\
    "VO-Basic Channel setup - 2.4Ghz" skip-dfs-channels=disabled width=20mhz
add band=5ghz-ax comment="Channel 40" disabled=no frequency=5200 name=\
    "VO-Basic channel setup - 5GHz" skip-dfs-channels=disabled width=\
    20/40/80mhz
/interface wifiwave2 datapath
add bridge=bridge-local disabled=no name=VO-Datapath
/interface wifiwave2 security
add authentication-types=wpa2-psk disable-pmkid=yes disabled=no encryption=\
    ccmp group-key-update=1h name="VO-Basic security" wps=disable
/interface wifiwave2 configuration
add antenna-gain=0 country=Belgium datapath=VO-Datapath disabled=no mode=ap \
    name="Van-Opstal_WL config" security="VO-Basic security" ssid=\
    Van-Opstal_WL
/interface wifiwave2
# NOTE(review): the three guest SSIDs below reuse "VO-Basic security", i.e. the
# same pre-shared key as the main network. A guest SSID needs its own security
# profile and key, otherwise the separation is only cosmetic.
# NOTE(review): datapath.vlan-id tags guest frames with 10/20/30, but each guest
# interface is then a port of BLUE/GREEN/RED-BRIDGE (see bridge port below),
# not of bridge-local. Whichever ether port is the uplink to the router is an
# untagged member of bridge-local (or ether1, which is in no bridge), so the
# tagged frames never leave this device towards the router's DHCP servers.
set [ find default-name=wifi2 ] channel="VO-Basic Channel setup - 2.4Ghz" \
    channel.frequency=2412 configuration="Van-Opstal_WL config" \
    configuration.mode=ap disabled=no name=wifi-2.4GHz
set [ find default-name=wifi1 ] channel="VO-Basic channel setup - 5GHz" \
    channel.frequency=5200 configuration="Van-Opstal_WL config" \
    configuration.hide-ssid=no .mode=ap disabled=no name=wifi-5GHz
add configuration.mode=ap .ssid=BLUE-WIFI datapath.vlan-id=10 disabled=no \
    mac-address=4A:A9:8A:6F:1D:16 master-interface=wifi-2.4GHz name=BLUE-WIFI \
    security="VO-Basic security"
add configuration.mode=ap .ssid=GREEN-WIFI datapath.vlan-id=20 disabled=no \
    mac-address=4A:A9:8A:6F:1D:15 master-interface=wifi-2.4GHz name=\
    GREEN-WIFI security="VO-Basic security"
add configuration.mode=ap .ssid=RED-WIFI datapath.vlan-id=30 disabled=no \
    mac-address=4A:A9:8A:6F:1D:17 master-interface=wifi-2.4GHz name=RED-WIFI \
    security="VO-Basic security"
/ip kid-control
add fri=0s-1d mon=0s-1d name=system-dummy sat=0s-1d sun=0s-1d thu=0s-1d tue=\
    0s-1d tur-fri=0s-1d tur-mon=0s-1d tur-sat=0s-1d tur-sun=0s-1d tur-thu=\
    0s-1d tur-tue=0s-1d tur-wed=0s-1d wed=0s-1d
/zerotier
set zt1 comment="ZeroTier Central controller - https://my.zerotier.com/" \
    name=zt1 port=9993
/zerotier interface
# NOTE(review): the ZeroTier interface is in neither LAN nor WAN. The input
# rule "drop in-interface-list=!LAN" below blocks management from the overlay,
# but the forward chain has no rule for it, so a ZeroTier peer can reach the
# LAN behind this AP. Decide whether that is intended; the network id is also a
# value worth redacting in a public post.
add allow-default=no allow-global=no allow-managed=yes disabled=no instance=\
    zt1 name=van-opstal-zerotier network=db64858feded82f0
/dude
# The Dude server is enabled on an access point; an extra listening service
# that an AP does not need.
set enabled=yes
/interface bridge port
# NOTE(review): pvid=99 on the bridge-local ports is inert while vlan-filtering
# is off, and VLAN 99 appears nowhere else in this export. The guest wifi
# interfaces land on the separate guest bridges (see the wifiwave2 note above).
add bridge=bridge-local comment=defconf interface=ether2 pvid=99
add bridge=bridge-local comment=defconf interface=ether3 pvid=99
add bridge=bridge-local comment=defconf interface=ether4 pvid=99
add bridge=bridge-local comment=defconf interface=ether5 pvid=99
add bridge=bridge-local comment=defconf interface=wifi-5GHz pvid=99
add bridge=bridge-local comment=defconf interface=wifi-2.4GHz pvid=99
add bridge=BLUE-BRIDGE interface=BLUE-WIFI pvid=10
add bridge=GREEN-BRIDGE interface=GREEN-WIFI pvid=20
add bridge=RED-BRIDGE interface=RED-WIFI pvid=30
add bridge=bridge-local interface=BLUE-VLAN pvid=10
add bridge=bridge-local interface=GREEN-VLAN pvid=20
add bridge=bridge-local interface=RED-VLAN pvid=30
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set max-neighbor-entries=15360
/interface bridge vlan
# NOTE(review): tagged=BLUE-BRIDGE (and GREEN/RED) names a bridge that is not a
# port of bridge-local; bridge vlan members must be ports of this bridge or the
# bridge itself. Presumably BLUE-VLAN or the uplink port was meant.
add bridge=bridge-local tagged=BLUE-BRIDGE vlan-ids=10
add bridge=bridge-local tagged=GREEN-BRIDGE vlan-ids=20
add bridge=bridge-local tagged=RED-BRIDGE vlan-ids=30
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface=bridge-local list=LAN
add comment=defconf interface=ether1 list=WAN
/interface wifiwave2 access-list
# NOTE(review): every entry is action=accept on interface=any with no final
# reject. As far as I know a client matching no entry is still accepted, so
# this list does not limit who may associate; an allowlist needs an explicit
# last entry with action=reject. MAC matching is not an authentication control
# in any case -- the PSK per SSID is what gates access.
add action=accept comment="GSM Rosalie" disabled=no interface=any \
    mac-address=46:59:2E:8E:05:E0
add action=accept disabled=no interface=any mac-address=18:69:D8:01:5E:8B
add action=accept disabled=no interface=any mac-address=30:8E:7A:7A:4E:AC
add action=accept disabled=no interface=any mac-address=60:FB:00:38:CE:2F
add action=accept disabled=no interface=any mac-address=68:57:2D:DD:4D:7C
add action=accept disabled=no interface=any mac-address=84:7A:B6:15:89:A3
add action=accept disabled=no interface=any mac-address=B4:FB:E3:DF:42:6D
add action=accept disabled=no interface=any mac-address=B4:FB:E3:E0:02:29
add action=accept disabled=no interface=any mac-address=B4:FB:E3:EE:6F:38
add action=accept disabled=no interface=any mac-address=D4:A6:51:29:D9:51
add action=accept disabled=no interface=any mac-address=D4:A6:51:F2:C9:59
add action=accept disabled=no interface=any mac-address=DC:A6:32:4A:E9:E5
/interface wifiwave2 cap
# NOTE(review): CAP mode is enabled and looks for a wifiwave2 CAPsMAN over
# bridge-local. The router (KING) only runs the legacy /caps-man, which a
# wifiwave2 CAP cannot use as far as I know, so the local wifi configuration
# above stays in effect. If a wifiwave2 CAPsMAN ever appears, it takes over the
# wifi interfaces and the local settings are overridden.
set certificate=request discovery-interfaces=bridge-local enabled=yes \
    slaves-datapath=VO-Datapath
/interface wifiwave2 capsman
# No enabled=yes is exported, so the CAPsMAN role on this AP appears off.
set package-path="" require-peer-certificate=no upgrade-policy=none
/ip address
# NOTE(review): a static 192.168.1.2 on bridge-local is combined with a DHCP
# client on the same bridge below, which can leave the AP with two addresses.
# The .2 addresses on the guest bridges give the AP its own L3 presence in
# networks that are supposed to be served by the router.
add address=192.168.1.2/24 interface=bridge-local network=192.168.1.0
add address=192.168.10.2/24 interface=BLUE-BRIDGE network=192.168.10.0
add address=192.168.20.2/24 interface=GREEN-BRIDGE network=192.168.20.0
add address=192.168.30.2/24 interface=RED-BRIDGE network=192.168.30.0
/ip dhcp-client
add interface=bridge-local
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan
/ip firewall filter
# The last six rules repeat what the defconf rules above already do (ICMP,
# established/related, drop !LAN, fasttrack, accept established/related);
# harmless, but remove the duplicates for readability.
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface-list=!LAN
add action=fasttrack-connection chain=forward connection-state=\
    established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip upnp interfaces
# NOTE(review): UPnP interfaces are defined on an access point that is not the
# gateway. No "/ip upnp set enabled=yes" is exported, so this is probably
# inert, but it should be removed rather than left to be switched on later.
add interface=bridge-local type=internal
add interface=ether1 type=external
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
# Default-configuration IPv6 rule set, unchanged.
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Brussels
/system identity
set name=Humpty
/system note
set show-at-login=no
/system scheduler
# Disabled nightly reboot (its comment, in Dutch: "reboot to prevent the wifi
# from suddenly dropping out").
add comment="reboot om te verhinderen dat wifi plots wegvalt." disabled=yes \
    interval=12h name="herstart elke avond" on-event="daily reboot" policy=\
    reboot start-date=2023-05-14 start-time=16:30:01
/tool graphing interface
add
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool romon
set enabled=yes

and finally Dumpty (hAP ax²):

# 2023-06-26 20:33:14 by RouterOS 7.10
# software id = HH4P-3WY5
#
# model = C52iG-5HaxD2HaxD
# serial number = HE908HQCE0T
# NOTE(review): software id and serial number identify this unit and are not
# needed for the question; redact them before posting an export publicly.
/interface bridge
# NOTE(review): same four-bridge layout as Humpty and the router, again with no
# vlan-filtering=yes, so the /interface bridge vlan entries below are not
# enforced. A single bridge with vlan-filtering=yes and a tagged uplink port is
# all an AP needs when the router holds the addresses and DHCP servers.
add name=BLUE-BRIDGE
add name=GREEN-BRIDGE
add name=RED-BRIDGE
add admin-mac=48:A9:8A:92:7B:FF auto-mac=no comment=defconf name=bridge-local
/interface vlan
add interface=BLUE-BRIDGE name=BLUE-VLAN vlan-id=10
add interface=GREEN-BRIDGE name=GREEN-VLAN vlan-id=20
add interface=RED-BRIDGE name=RED-VLAN vlan-id=30
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wifiwave2 channel
add band=2ghz-n comment="Channel 11" disabled=no frequency=2462 name=\
    "VO-Basic Channel setup - 2.4Ghz" skip-dfs-channels=disabled width=20mhz
add band=5ghz-ax comment="Channel 161" disabled=no frequency=5805 name=\
    "VO-Basic channel setup - 5GHz" skip-dfs-channels=disabled width=\
    20/40/80mhz
/interface wifiwave2 datapath
add bridge=bridge-local disabled=no name=VO-Datapath
/interface wifiwave2 security
add authentication-types=wpa2-psk disable-pmkid=yes disabled=no encryption=\
    ccmp group-key-update=1h name="VO-Basic security" wps=disable
/interface wifiwave2 configuration
# Unlike Humpty, this configuration sets no datapath; the master interfaces are
# direct ports of bridge-local (see bridge port below), so that is fine.
add antenna-gain=0 country=Belgium disabled=no mode=ap name=\
    "Van-Opstal_WL config" security="VO-Basic security" ssid=Van-Opstal_WL
/interface wifiwave2
# NOTE(review): all three guest SSIDs reuse "VO-Basic security", i.e. the same
# pre-shared key as the main network; a guest SSID needs its own profile/key.
# NOTE(review): only BLUE-WIFI sets datapath.vlan-id; GREEN-WIFI and RED-WIFI
# do not, unlike their counterparts on Humpty. Either way the guest interfaces
# end up as ports of the separate guest bridges, not of bridge-local, so their
# traffic has no tagged path out of this device towards the router.
set [ find default-name=wifi2 ] channel="VO-Basic Channel setup - 2.4Ghz" \
    channel.skip-dfs-channels=10min-cac configuration="Van-Opstal_WL config" \
    configuration.mode=ap disabled=no name=wifi-2.4GHz security=\
    "VO-Basic security"
set [ find default-name=wifi1 ] channel="VO-Basic channel setup - 5GHz" \
    channel.frequency=5805 .skip-dfs-channels=10min-cac configuration=\
    "Van-Opstal_WL config" configuration.mode=ap disabled=no mtu=1500 name=\
    wifi-5GHz security="VO-Basic security"
add configuration.mode=ap .ssid=BLUE-WIFI datapath.vlan-id=10 disabled=no \
    mac-address=4A:A9:8A:92:7C:04 master-interface=wifi-2.4GHz name=BLUE-WIFI \
    security="VO-Basic security"
add configuration.mode=ap .ssid=GREEN-WIFI disabled=no mac-address=\
    4A:A9:8A:92:7C:05 master-interface=wifi-2.4GHz name=GREEN-WIFI security=\
    "VO-Basic security"
add configuration.mode=ap .ssid=RED-WIFI disabled=no mac-address=\
    4A:A9:8A:92:7C:06 master-interface=wifi-2.4GHz name=RED-WIFI security=\
    "VO-Basic security"
/ip kid-control
add fri=0s-1d mon=0s-1d name=system-dummy sat=0s-1d sun=0s-1d thu=0s-1d tue=\
    0s-1d tur-fri=0s-1d tur-mon=0s-1d tur-sat=0s-1d tur-sun=0s-1d tur-thu=\
    0s-1d tur-tue=0s-1d tur-wed=0s-1d wed=0s-1d
/zerotier
set zt1 comment="ZeroTier Central controller - https://my.zerotier.com/" \
    name=zt1 port=9993
/zerotier interface
# NOTE(review): the ZeroTier interface is in neither LAN nor WAN. The input
# rule "drop all not coming from LAN" below blocks management from the overlay,
# but no forward rule restricts it, so a ZeroTier peer can reach the LAN behind
# this AP. The network id is also worth redacting in a public post.
add allow-default=no allow-global=no allow-managed=yes disabled=no instance=\
    zt1 name=van-opstal-zerotier network=db64858feded82f0
/dude
# The Dude server is enabled on an access point; an extra listening service
# that an AP does not need.
set enabled=yes
/interface bridge port
# Main wifi and ether2-5 are plain untagged members of bridge-local; the guest
# wifi interfaces sit on the separate guest bridges (see the wifiwave2 note).
add bridge=bridge-local comment=defconf interface=ether2
add bridge=bridge-local comment=defconf interface=ether3
add bridge=bridge-local comment=defconf interface=ether4
add bridge=bridge-local comment=defconf interface=ether5
add bridge=bridge-local comment=defconf interface=wifi-5GHz
add bridge=bridge-local comment=defconf interface=wifi-2.4GHz
add bridge=BLUE-BRIDGE interface=BLUE-WIFI pvid=10
add bridge=GREEN-BRIDGE interface=GREEN-WIFI pvid=20
add bridge=RED-BRIDGE interface=RED-WIFI pvid=30
add bridge=bridge-local interface=BLUE-VLAN pvid=10
add bridge=bridge-local interface=GREEN-VLAN pvid=20
add bridge=bridge-local interface=RED-VLAN pvid=30
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set max-neighbor-entries=15360
/interface bridge vlan
# NOTE(review): tagged=BLUE-BRIDGE (and GREEN/RED) names a bridge that is not a
# port of bridge-local; members must be ports of this bridge or the bridge
# itself. Presumably BLUE-VLAN or the uplink port was meant.
add bridge=bridge-local tagged=BLUE-BRIDGE vlan-ids=10
add bridge=bridge-local tagged=GREEN-BRIDGE vlan-ids=20
add bridge=bridge-local tagged=RED-BRIDGE vlan-ids=30
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface=bridge-local list=LAN
add comment=defconf interface=ether1 list=WAN
/interface wifiwave2 access-list
# NOTE(review): every entry is action=accept on interface=any with no final
# reject. As far as I know a client matching no entry is still accepted, so
# this list does not limit who may associate; an allowlist needs an explicit
# last entry with action=reject. "Laptop Astrid" is also listed twice with the
# same MAC address.
add action=accept comment="GSM Yves" disabled=no interface=any mac-address=\
    6A:5E:79:C2:14:C5
add action=accept comment="Tablet Yves" disabled=no interface=any \
    mac-address=78:40:E4:1E:41:02
add action=accept comment="Laptop Astrid" disabled=no interface=any \
    mac-address=68:57:2D:DD:2F:2E
add action=accept comment="GSM Rosalie" disabled=no interface=any \
    mac-address=46:59:2E:8E:05:E0
add action=accept comment="Laptop Astrid" disabled=no interface=any \
    mac-address=68:57:2D:DD:2F:2E
add action=accept comment="Laptop Rosalie" disabled=no interface=any \
    mac-address=2C:8D:B1:AD:CA:C8
add action=accept comment="laptop Petra" disabled=no interface=any \
    mac-address=8C:C8:4B:38:7A:D7
add action=accept comment="GSM Petra" disabled=no interface=any mac-address=\
    4E:3D:E2:D3:AA:87
/interface wifiwave2 cap
# NOTE(review): CAP mode is enabled (without certificate=request, unlike
# Humpty). The router only runs the legacy /caps-man, which a wifiwave2 CAP
# cannot use as far as I know, so the local wifi settings above stay in effect.
set discovery-interfaces=bridge-local enabled=yes slaves-datapath=VO-Datapath
/ip address
# NOTE(review): 192.168.30.3/24 is placed on RED-WIFI instead of RED-BRIDGE
# (compare the BLUE/GREEN lines and Humpty). RED-WIFI is a bridge port, so an
# address on it is not usable. Static 192.168.1.3 plus the DHCP client below on
# the same bridge can also leave the AP with two addresses.
add address=192.168.1.3/24 interface=bridge-local network=192.168.1.0
add address=192.168.10.3/24 interface=BLUE-BRIDGE network=192.168.10.0
add address=192.168.20.3/24 interface=GREEN-BRIDGE network=192.168.20.0
add address=192.168.30.3/24 interface=RED-WIFI network=192.168.30.0
/ip dhcp-client
add interface=bridge-local
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan
/ip firewall filter
# Default-configuration rule set; the last two rules duplicate the defconf
# fasttrack and accept established/related rules and can be removed.
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=fasttrack-connection chain=forward connection-state=\
    established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
# Default-configuration IPv6 rule set, unchanged.
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Brussels
/system identity
set name=Dumpty
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool romon
set enabled=yes

Are those switches managed or dumb switches ?
If the latter, they will most likely strip away the VLAN tags.

I believe they are dumb switches … but they’re not in between the hAP’s and the router … these are directly connected (ether 3 and 4).
The switches and everything connected to them should all be in the local LAN … only equipment that is directly connected to the router (KING) should be divided into separate VLANs … that and the wifi (if possible).

OK … since no one could (or wanted to) answer my last reply I changed all the dumb switches with MikroTik switches (RB260GSP and CRS326-24G-2S+IN) … plugged them in and …
Wait for it …



NOTHING …


Still doesn’t work …
I mean, it works just like before … the regular networks work and the WIFI that was there by default worked … but not the VLANS (and the “guest” networks).
I did not configure anything extra on the switches though … should I also define the VLANs on the switches, or is there no need for that?

Hi,

First of all, I have almost no experience with MikroTik, but a lot with SonicWall, Juniper and Aruba/HPE, and I simply can’t understand what is happening here…

I think I have the exact same Problem and it really bothers me…

My Setup in my Test now is:
Router → Unifi-Switch → MikroTIK hexS → MikroTIK HaP ax2

The Router and Switch are both tagged on Vlan 764 in my case.
hexS got a bridge (default) w/o VLAN Filtering.
HaP ax2 got a bridge (default) w/o VLAN Filtering.

Roles:
Router:

  • DHCP-Server
  • Firewall
  • no NAT (reverse Route is available because I control the router in front of that one as well)

Unifi Switch:

  • Switch
  • VLAN is available and working

hexS:

  • “Switch” / Bridge
  • CapsMAN v2

HaP ax2:

  • Wifi AP
  • in future: Switch as well

The part which bothers me the most is, if I add a VLAN Interface to the hexS and HAP in VLAN 764, they will receive an IP-Address from my other Router/DHCP-Server.
But if I simply try to move a Wifi in this VLAN, it’s not working.
On the other hand, if I define a new VLAN (like VLAN 40) set it up as normal Network on the hexS, define NAT, DHCP and so on, create the Wifi Profile.
It’s just working…

I’ve tried to debug the VLAN Connectivity with Wireshark and the integrated Sniffer on the hAP and hex.
It seems that the VLAN 764 (not supplied by MikroTIK hex) is simply not coming from the Wi-Fi Interface to the bridge.
On the other hand, VLAN 40 is just working…

Sorry for the unsorted “thought dump”; I’m not used to answering in forums, but I simply can’t understand what is happening.
And I’m “Happy” that someone want to use the same concept as me and it’s not “my fault”…

You should post configuration of both Mikrotiks to get any meaningful feedback.
Execute /export hide-sensitive file=anynameyouwish in a terminal window, fetch the file off the device, open it with a text editor, redact any remaining sensitive data (such as serial number or wireless password; a public IP address would be sensitive as well, but in your topology it shouldn’t be set on the MikroTiks) and then copy-paste it inside a [code] [/code] environment (the icon in the post editor button bar).

Hi mkx,

sorry for the delay…
It’s just my personal “Project” at Home and so it’s not my highest priority.

TL;DR: I made a (for now unknown) mistake somewhere; it’s simply working…

Today I went to back up my config and also export the config as a script to set up a new environment, so I could reproduce the error without the changes I made the first time while trying to fix it…
I then checked for updates and saw that 7.12 had been released (I was previously on 7.11.2).

So I did the following:

I made some minor changes, because I didn’t want to set up a new bridge, nor a DHCP server on the bridge.
So my edit of the example looked like this:

# Working single-bridge layout: each SSID gets a wifiwave2 datapath that tags
# client frames with its VLAN id on the one bridge, and L3 (address, DHCP)
# lives on a VLAN interface of that same bridge.
# NOTE(review): no "/interface bridge set bridge vlan-filtering=yes" appears in
# this snippet; the /interface bridge vlan entries below only take effect with
# filtering enabled -- confirm how the bridge itself is configured.
/interface vlan
add interface=bridge name=VLAN20 vlan-id=20
add interface=bridge name=VLAN30 vlan-id=30
#defining channel is optional
/interface wifiwave2 channel
add frequency=5180,2412 name=CH
/interface wifiwave2 datapath
# The vlan-id on the datapath is what puts each SSID into its VLAN.
add bridge=bridge name=VLAN20 vlan-id=20
add bridge=bridge name=VLAN30 vlan-id=30
/interface wifiwave2 security
# NOTE(review): one security profile is shared by the main and guest SSIDs, so
# both use the same pre-shared key (not shown here; it must be set). Give the
# guest SSID its own profile and key.
add authentication-types=wpa2-psk,wpa3-psk name=security
#make sure to change the country to one where you reside in
/interface wifiwave2 configuration
add channel=CH country=Germany datapath=VLAN20 name=2Ghz_main security=security ssid=2G_MAIN
add channel=CH country=Germany datapath=VLAN30 name=2Ghz_guest security=security ssid=2G_Guest
add channel=CH country=Germany datapath=VLAN20 name=5Ghz_main security=security ssid=5G_MAIN
add channel=CH country=Germany datapath=VLAN30 name=5Ghz_guest security=security ssid=5G_Guest
/ip pool
add name=dhcp_pool1 ranges=192.168.20.2-192.168.20.254
add name=dhcp_pool2 ranges=192.168.30.2-192.168.30.254
/ip dhcp-server
# DHCP listens on the VLAN interfaces, not on the bridge.
add address-pool=dhcp_pool1 interface=VLAN20 name=dhcp2
add address-pool=dhcp_pool2 interface=VLAN30 name=dhcp3
/interface bridge vlan
# The bridge itself is a tagged member so the VLAN interfaces above get the
# traffic; any wired uplink carrying these VLANs would have to be added here.
add bridge=bridge tagged=bridge vlan-ids=20
add bridge=bridge tagged=bridge vlan-ids=30
/interface wifiwave2 capsman
# wifiwave2 CAPsMAN (not the legacy /caps-man), listening on the bridge.
set enabled=yes interfaces=bridge
/interface wifiwave2 provisioning
# Per band: the main SSID is the master, the guest SSID the slave; interface
# names are derived from %I.
add action=create-dynamic-enabled master-configuration=2Ghz_main name-format=2G-%I slave-configurations=2Ghz_guest supported-bands=2ghz-ax
add action=create-dynamic-enabled master-configuration=5Ghz_main name-format=5G-%I slave-configurations=5Ghz_guest supported-bands=5ghz-ax
/ip address
add address=192.168.20.1/24 interface=VLAN20 network=192.168.20.0
add address=192.168.30.1/24 interface=VLAN30 network=192.168.30.0
/ip dhcp-server network
# No dns-server is given; clients receive whatever RouterOS defaults to here.
add address=192.168.20.0/24 gateway=192.168.20.1
add address=192.168.30.0/24 gateway=192.168.30.1

After I’ve connected to “2G_Guest” successfully, I went for another setup of my “external VLAN” setup:

# "External VLAN" SSID: VLAN 764 is bridged through to the upstream router, which supplies
# addressing and DHCP for it; accordingly there is no /interface vlan, /ip address, pool or
# dhcp-server for 764 on this device.
/interface bridge vlan
# Bridge is a tagged member of 764 so the datapath below can hand frames to the bridge.
# The wired port that carries 764 to the other router is not shown in this snippet.
add bridge=bridge tagged=bridge vlan-ids=764
/interface wifiwave2 datapath
add bridge=bridge disabled=no name=dp_ho vlan-id=764
/interface wifiwave2 configuration
# Reuses the existing CH channel and "security" profile, so this SSID shares the same PSK
# as the main/guest SSIDs. How it is attached to a radio (provisioning slave-configurations
# or a wifi interface) is not part of this paste — presumably done in the GUI.
add channel=CH country=Germany datapath=dp_ho disabled=no name=2ghz_ho security=security ssid=homeoffice-TEST

(This is not the exact setup, because I did it via the GUI, but IIRC these are the only 3 things I did)

AND: It worked!!!

So now I downgraded to 7.11.2 again, to check whether it still works.
And it worked as well!

I’m not sure if I want to investigate my Error…
If you would like to still see the Export of hexs and hap just hmu.
It was not done with “hide-sensitive”, but I could simply restore it (again) and export it another time, or just search/replace the serial number and MAC addresses.

Thank you for your assistance offered.